CVE-2026-43203

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> atm: fore200e: fix use-after-free in tasklets during device removal<br /> <br /> When the PCA-200E or SBA-200E adapter is being detached, the fore200e<br /> is deallocated. However, the tx_tasklet or rx_tasklet may still be running<br /> or pending, leading to use-after-free bug when the already freed fore200e<br /> is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet().<br /> <br /> One of the race conditions can occur as follows:<br /> <br /> CPU 0 (cleanup) | CPU 1 (tasklet)<br /> fore200e_pca_remove_one() | fore200e_interrupt()<br /> fore200e_shutdown() | tasklet_schedule()<br /> kfree(fore200e) | fore200e_tx_tasklet()<br /> | fore200e-&gt; // UAF<br /> <br /> Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before<br /> the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to<br /> synchronize with any pending or running tasklets. Moreover, since<br /> fore200e_reset() could prevent further interrupts or data transfers,<br /> the tasklet_kill() should be placed after fore200e_reset() to prevent<br /> the tasklet from being rescheduled in fore200e_interrupt(). Finally,<br /> it only needs to do tasklet_kill() when the fore200e state is greater<br /> than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized<br /> in earlier states. In a word, the tasklet_kill() should be placed in<br /> the FORE200E_STATE_IRQ branch within the switch...case structure.<br /> <br /> This bug was identified through static analysis.